Overview

overview

10

Static

static

Quotation0...oc.exe

windows7_x64

10

Quotation0...oc.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    24-06-2020 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation062821920 Doc.exe

  • Size

    1.4MB

  • MD5

    28790f7b37df5c55d19af17fe5c26e90

  • SHA1

    ebe03b0be96acbf76a32aaa8f99fb0b80050ba92

  • SHA256

    288e0e5c83a6fbde926189bf71e44dcb7a6516f726cc5985c28a4c3c4499f30a

  • SHA512

    42bcf63a192ff93fa86ad1dd07896162be384e9a41bf8924956ae0ec86346c565245ea3e828f07e7802494c5e05ef52ca7e0abdd9e07cc570e740b01ea32c891

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.oneirochemicals.net
  • Port:
    587
  • Username:
    qa@oneirochemicals.net
  • Password:
    One$1234

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation062821920 Doc.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation062821920 Doc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1700-0-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1700-1-0x0000000000448CBE-mapping.dmp
    Download
  • memory/1700-2-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download